Nowadays, security incidents such as information leakage must be prevented in advance. To maintain a secure state in which no such incident occurs, a number of measures are applied to an information system. However, it is not easy to evaluate the risks in a complicated information system, nor to determine which measures are necessary. For this reason, risk analysis systems have been proposed that evaluate the risks inherent in an information system according to a predetermined risk model.
As a related risk analysis system, there is a system including, for example, a current status analysis input processing section, an asset input processing section, a vulnerability database, a threat database, and a risk calculating section. This risk analysis system operates as follows. Information for determining whether a vulnerability exists in the analysis target system is inputted through the current status analysis input processing section. On the basis of the inputted information, the vulnerability database is consulted and the vulnerability is extracted. A threat corresponding to the extracted vulnerability is retrieved from the threat database. The risk calculating section calculates the magnitude of a risk from the degree of the vulnerability and the magnitude of the threat, both of which are stored in advance in the respective databases. In the risk analysis system described in Japanese Patent Application Publication JP 2005-135239A (paragraphs 0054-0064 and FIG. 1), the relationship between the threats and vulnerabilities stored in the threat and vulnerability databases, together with their weights, corresponds to a risk model.
However, in the above-described risk analysis system, a risk inherent in the information system is evaluated only in a predetermined format according to a risk model with predetermined criteria. A risk may depend on circumstances or an environment specific to the information system. To analyze such a risk, a system administrator or consultant who is a risk management expert must interview the user about the criteria or the system environment and individually modify the risk model in advance. However, even when such an interview is conducted, a user who is not a risk management expert cannot readily provide enough information to produce the risk model. For this reason, in a system in which the risk model is individually modified and created in advance, the interview is repeated while the risk analysis result is presented to the user, and the risk model is adjusted accordingly.
Japanese Patent Application Publication JP 2005-135239A proposes a system in which circumstances or an environment specific to the system are reflected in the calculated risk value by referring to the risk analysis result and to parameters used in the risk analysis, such as the weight of a threat or the effect of a measure.
In the system described in Japanese Patent Application Publication JP 2005-135239A, an information security management apparatus includes a current status analysis input processing section, an asset input processing section, a vulnerability analyzing section, a threat analyzing section, a value changing section, a risk calculating section, a current status question database, an answer option table, a vulnerability database, and a threat database. The information security management apparatus operates as follows. The current status analysis input processing section inputs a question and an answer about security measures. When the weight of the answer is equal to or greater than a predetermined value, the vulnerability analyzing section obtains from the vulnerability database the vulnerability corresponding to the ID of the question, together with the weight of that vulnerability. The asset input processing section calculates a vulnerability value for each vulnerability on the basis of the corresponding asset value in an inputted asset list. The threat analyzing section calculates a threat value on the basis of the threat corresponding to the ID of the vulnerability and the weight of that threat. The risk calculating section calculates a risk value for each vulnerability on the basis of the asset value, the vulnerability value, and the threat value. Further, the value changing section displays the calculated result for each vulnerability and its corresponding threat. If the risk analyst disagrees with the displayed values, he or she can correct them through the value changing section.
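The question-driven pipeline described above, worked through as an added Python example. This is an illustration written for this page, not code from JP 2005-135239A: the question IDs, answer weights, vulnerability and threat databases, asset list, and the threshold are all constructed, and the combination rules (the vulnerability value equals the vulnerability weight when the exposed asset appears in the asset list, and the risk value is the product of asset value, vulnerability value and threat value) are assumptions, since the publication only says the values are calculated "on the basis of" one another. The value changing section is modelled as a function that overrides individual calculated fields.

```python
"""Worked model of a question-driven risk calculation pipeline.

Added illustration for this page; not the publication's own code.
All IDs, weights, thresholds and formulas below are constructed
assumptions chosen to make the data flow visible.
"""
from dataclasses import dataclass, replace

# Answer option table: answer text -> weight (constructed).
ANSWER_OPTIONS = {"yes": 0, "partly": 2, "no": 4}
# An answer whose weight reaches this value marks the question's vulnerability
# as present (the "predetermined value" of the text; constructed).
ANSWER_THRESHOLD = 2

# Vulnerability database: question ID -> (vulnerability ID, vulnerability weight).
VULNERABILITY_DB = {
    "Q1": ("V-PATCH", 3),    # "Are OS patches applied within a week?"
    "Q2": ("V-ACL", 2),      # "Is database access restricted per role?"
    "Q3": ("V-BACKUP", 1),   # "Are backups taken daily?"
}
# Threat database: vulnerability ID -> (threat ID, threat weight).
THREAT_DB = {
    "V-PATCH": ("T-RCE", 4),
    "V-ACL": ("T-LEAK", 3),
    "V-BACKUP": ("T-LOSS", 2),
}
# Which asset each vulnerability exposes (constructed mapping).
VULN_TO_ASSET = {
    "V-PATCH": "web-server",
    "V-ACL": "customer-db",
    "V-BACKUP": "customer-db",
}


@dataclass(frozen=True)
class RiskEntry:
    """One row of the result the value changing section displays."""
    vulnerability: str
    threat: str
    asset_value: float
    vulnerability_value: float
    threat_value: float

    @property
    def risk_value(self) -> float:
        # Assumed combination rule: the text only says the risk value is
        # calculated on the basis of these three values.
        return self.asset_value * self.vulnerability_value * self.threat_value


def analyze_vulnerabilities(answers: dict) -> dict:
    """Vulnerability analyzing section: question ID -> answer text in,
    vulnerability ID -> vulnerability weight out, keeping only questions
    whose answer weight reaches the threshold."""
    found = {}
    for qid, answer in answers.items():
        if ANSWER_OPTIONS[answer] >= ANSWER_THRESHOLD and qid in VULNERABILITY_DB:
            vid, vweight = VULNERABILITY_DB[qid]
            found[vid] = vweight
    return found


def calculate_risks(answers: dict, asset_list: dict) -> dict:
    """Asset input, threat analyzing and risk calculating sections.

    asset_list maps asset ID -> asset value. A vulnerability whose exposed
    asset is absent from the list yields no entry (assumed behaviour)."""
    entries = {}
    for vid, vweight in analyze_vulnerabilities(answers).items():
        asset_id = VULN_TO_ASSET[vid]
        if asset_id not in asset_list:
            continue
        asset_value = float(asset_list[asset_id])
        vulnerability_value = float(vweight)          # assumption
        tid, tweight = THREAT_DB[vid]
        threat_value = float(tweight)                 # assumption
        entries[vid] = RiskEntry(vid, tid, asset_value, vulnerability_value, threat_value)
    return entries


def change_values(entries: dict, corrections: dict) -> dict:
    """Value changing section: the analyst overrides displayed values.

    corrections maps vulnerability ID -> {field name: new value}."""
    changed = dict(entries)
    for vid, fields in corrections.items():
        changed[vid] = replace(entries[vid], **fields)
    return changed


if __name__ == "__main__":
    # Constructed sample input: three answers and two assets.
    answers = {"Q1": "no", "Q2": "partly", "Q3": "yes"}
    assets = {"web-server": 2.0, "customer-db": 5.0}
    for vid, e in calculate_risks(answers, assets).items():
        print(vid, e.threat, e.risk_value)
```

The example also makes the weakness discussed below concrete: `change_values` accepts any override, and nothing in the pipeline tells the analyst whether a displayed `threat_value` of 3.0 was right in the first place.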
However, with only a function for changing calculated values such as the vulnerability value and the threat value, nobody can tell whether these values are correct, nor determine where and how they should be changed. As a result, an accurate risk value may not be calculated in spite of the existence of a serious risk, so that the risk is overlooked; conversely, excessive measures may be taken in spite of the absence of any risk. Furthermore, an administrator or consultant in charge of the risk analysis of a plurality of analysis target systems must individually correct the vulnerability value and the threat value to suit the circumstances or environment of each analysis target system, and prepare a risk model for each of them. This requires many man-hours for the risk analysis, and errors are also likely to occur.
On the other hand, Japanese Patent Application Publication JP-P2006-285825A (paragraphs 0125-0134 and FIG. 2) describes an example of a system that produces a risk model even for an unforeseen, unknown risk in order to evaluate that risk. The support system for quantifying a risk described in JP-P2006-285825A includes: a risk quantity calculating section that calculates a risk quantity; a risk analysis model database that stores risk analysis models, each consisting of a calculation equation for the risk quantity and retrieval indexes, produced from risk cases; and a risk analysis model retrieving section that acquires a risk item including a specific description of the risk content, compares the specific description with the retrieval indexes, and thereby retrieves the risk analysis model corresponding to the risk item from the risk analysis model database.
The support system for quantifying a risk having such a configuration operates as follows. The risk analysis model retrieving section acquires the risk item including the specific description of the risk content, compares that description with the retrieval indexes, and thereby retrieves the risk analysis model corresponding to the risk item from the risk analysis model database. The risk quantity calculating section then uses the retrieved risk analysis model to calculate the risk quantity.
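The retrieve-then-calculate flow of the two paragraphs above, as an added Python example. It is an illustration written for this page, not code from JP-P2006-285825A: the publication does not say how a description is compared with the retrieval indexes or what form a calculation equation takes, so the keyword-overlap matching, the minimum match score, the two models in the database and their equations (represented as Python callables over the quantities carried by the risk item) are all constructed assumptions.

```python
"""Worked model of retrieving a risk analysis model by its retrieval
indexes and using its calculation equation to quantify the risk.

Added illustration for this page; not the publication's own code. The
matching rule, the model database and the equations are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class RiskAnalysisModel:
    name: str
    # Retrieval indexes: keywords distilled from past risk cases (constructed).
    retrieval_indexes: frozenset
    # Calculation equation: quantities of the risk item -> risk quantity.
    equation: Callable[[dict], float]


# Risk analysis model database (constructed; two models only).
RISK_MODEL_DB = [
    RiskAnalysisModel(
        "leak-of-personal-data",
        frozenset({"leak", "personal", "data", "customer"}),
        lambda q: q["records"] * q["cost_per_record"] * q["probability"],
    ),
    RiskAnalysisModel(
        "service-outage",
        frozenset({"outage", "downtime", "service", "unavailable"}),
        lambda q: q["hours"] * q["loss_per_hour"] * q["probability"],
    ),
]


def tokenize(text: str) -> set:
    """Lower-case alphabetic words of the specific description."""
    return set(re.findall(r"[a-z]+", text.lower()))


def retrieve_model(description: str, db=RISK_MODEL_DB, min_score: float = 0.25) -> Optional[RiskAnalysisModel]:
    """Risk analysis model retrieving section.

    Scores each model by the fraction of its retrieval indexes that occur in
    the description and returns the best one, or None when no model reaches
    min_score (the unknown-risk case). Ties keep the earlier model."""
    words = tokenize(description)
    best, best_score = None, 0.0
    for model in db:
        score = len(words & model.retrieval_indexes) / len(model.retrieval_indexes)
        if score > best_score:
            best, best_score = model, score
    return best if best_score >= min_score else None


def quantify_risk(risk_item: dict):
    """Risk quantity calculating section driven by the retrieved model.

    risk_item = {"description": str, "quantities": {...}}.
    Returns (model name, risk quantity), or (None, None) if no model matched."""
    model = retrieve_model(risk_item["description"])
    if model is None:
        return None, None
    return model.name, float(model.equation(risk_item["quantities"]))


if __name__ == "__main__":
    # Constructed risk items.
    items = [
        {"description": "A leak of customer personal data from the web application",
         "quantities": {"records": 10_000, "cost_per_record": 50, "probability": 0.1}},
        {"description": "Unavailable service due to network downtime",
         "quantities": {"hours": 8, "loss_per_hour": 1000, "probability": 0.2}},
        {"description": "Physical theft of laptops", "quantities": {}},
    ]
    for item in items:
        print(quantify_risk(item))
```

Note what the risk item carries: a free-text description plus the raw quantities the equation consumes. There is no slot for a threat weight or a measure's effect, which is exactly the limitation the next paragraph raises.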
However, in the conventional support system for quantifying a risk described in JP-P2006-285825A, the specific description of the risk content that can be inputted cannot include parameters such as the effect of a measure or the weight of a threat, as the above-described risk model does. For this reason, the support system for quantifying a risk cannot solve the problem of correcting a risk model.